Tuesday, April 15, 2014

Transparent Firewall (IOS) and CBAC.

Sometimes you have to implement an L2 firewall in your network. There
are many reasons to choose this solution, and one of them is to preserve
your L3 design. On Cisco routers you can implement IRB (Integrated
Routing & Bridging) or CRB (Concurrent Routing & Bridging). The
first allows traffic to be exchanged between routed and bridged
interfaces, whereas CRB completely separates these two types of traffic
(L2 and L3). If you need an L3 interface together with L2 bridging, you
have to add a BVI interface with an IP address from the same subnet as
its neighbours.

As we can see from the tests above, we inspect traffic from the Windows client to R1, but we can still send any non-inspected traffic through the firewall
in both directions. There is no implicit deny at the end of the inspection
rule, so to protect our network we have to apply an ACL. In our case we
apply the ACL on the OUTSIDE interface with direction ‘in’:

This means that returning traffic which has already been inspected is not
controlled by the ACL applied on the OUTSIDE interface.
The newer IOS firewall, the Zone-Based Firewall (ZBF), does not allow
any non-inspected traffic by default, so you don’t have to apply an
ACL as you do with CBAC.
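The whole setup described above (IRB with a BVI, the CBAC inspection rule, and the ACL applied inbound on OUTSIDE) as one added example configuration; it is not the post's own config. Interface names, the 192.0.2.0/24 addressing, the management host and the rule/ACL names are assumptions.

```cisco
! Added example, not the original post's configuration. Interface names,
! addresses and the CBAC/ACL names are assumptions.
!
! IRB: bridge the two LAN interfaces and give the router one routed
! presence on the bridge (BVI1) in the same subnet as its neighbours.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface BVI1
 description Management address of the transparent firewall
 ip address 192.0.2.254 255.255.255.0
!
! CBAC inspection rule: track sessions opened from the inside so that
! only their replies are let back in from OUTSIDE.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! Inspection has no implicit deny: this ACL on OUTSIDE 'in' is what
! blocks unsolicited traffic. Inspected return traffic is matched by
! the dynamic CBAC entries before it is evaluated against this ACL.
ip access-list extended OUTSIDE-IN
 remark SSH to the BVI from one assumed management host only
 permit tcp host 192.0.2.10 host 192.0.2.254 eq 22
 remark everything else from OUTSIDE must be a reply to an inspected session
 deny ip any any log
!
interface FastEthernet0/0
 description INSIDE
 no ip address
 bridge-group 1
 ip inspect CBAC in
!
interface FastEthernet0/1
 description OUTSIDE
 no ip address
 bridge-group 1
 ip access-group OUTSIDE-IN in
```

Because OUTSIDE-IN is an IP ACL it has no effect on non-IP frames such as ARP, which the bridge still forwards; the `log` keyword on the final deny is what lets you see on the router which unsolicited traffic is being dropped.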